git.ipfire.org Git - people/ms/linux.git/commit - fs/nfs/fs_context.c
nfs: account for selinux security context when deciding to share superblock
author Olga Kornievskaia <kolga@netapp.com>
Fri, 19 Feb 2021 22:22:33 +0000 (17:22 -0500)
committer Paul Moore <paul@paul-moore.com>
Mon, 22 Mar 2021 19:01:45 +0000 (15:01 -0400)
commit ec1ade6a0448e3bfb07bb905aca1bc18836220c7
tree 306efdd474c9289e61e13483a35c5dc868c74232
parent 8c6d76a3144154773339be5e29c8bf42586dc3d1
nfs: account for selinux security context when deciding to share superblock

Keep track of whether or not there were LSM security context
options passed during mount (ie creation of the superblock).
Then, while deciding if the superblock can be shared for the new
mount, check if the newly passed in LSM security context options
are compatible with the existing superblock's ones by calling
security_sb_mnt_opts_compat().

Previously, with selinux enabled, NFS wasn't able to do the
following 2 mounts:
mount -o vers=4.2,sec=sys,context=system_u:object_r:root_t:s0
<serverip>:/ /mnt
mount -o vers=4.2,sec=sys,context=system_u:object_r:swapfile_t:s0
<serverip>:/scratch /scratch

2nd mount would fail with "mount.nfs: an incorrect mount option was
specified" and var log messages would have:
"SElinux: mount invalid. Same superblock, different security
settings for.."

Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
[PM: tweak subject line]
Signed-off-by: Paul Moore <paul@paul-moore.com>
fs/nfs/fs_context.c
fs/nfs/internal.h
fs/nfs/super.c
include/linux/nfs_fs_sb.h
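
The sharing decision described in the commit message, as an added user-space model (not code from this commit or from the kernel): every type and function name is hypothetical, and `server.example` stands in for `<serverip>`. It assumes both exports resolve to the same server filesystem, so the superblocks would otherwise match, and that an unlabelled mount is incompatible with a labelled one.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* User-space model only; every name below is hypothetical, not kernel code. */
struct super {                /* stand-in for an existing NFS superblock */
    const char *server;
    unsigned fsid;            /* assumed: both exports report the same fsid */
    const char *context;      /* context= given at mount time, NULL if none */
};

/* Model of the compatibility check: 0 = compatible, non-zero = not. */
int model_mnt_opts_compat(const struct super *sb, const char *context)
{
    if (sb->context == NULL || context == NULL)
        return sb->context != context;   /* one side labelled, other not */
    return strcmp(sb->context, context) != 0;
}

/* May a new mount reuse sb? check_sec=false models the "previously"
 * behaviour from the commit message, true models the patched behaviour. */
bool model_can_share(const struct super *sb, const char *server,
                     unsigned fsid, const char *context, bool check_sec)
{
    if (strcmp(sb->server, server) != 0 || sb->fsid != fsid)
        return false;
    if (check_sec && model_mnt_opts_compat(sb, context) != 0)
        return false;         /* different label: needs its own superblock */
    return true;
}

/* Outcome of a later mount: 0 shared, 1 new superblock, -1 rejected. */
int model_mount(const struct super *sb, const char *server, unsigned fsid,
                const char *context, bool check_sec)
{
    if (!model_can_share(sb, server, fsid, context, check_sec))
        return 1;
    /* Reusing a superblock with a conflicting label is refused. */
    return model_mnt_opts_compat(sb, context) ? -1 : 0;
}

/* Constructed sample: the first mount from the commit message. */
static const struct super first_mount = { "server.example", 7, "system_u:object_r:root_t:s0" };
static const char second_ctx[] = "system_u:object_r:swapfile_t:s0";

int main(void)
{   /* exit status 0 when the patched model lets the second mount succeed */
    return model_mount(&first_mount, "server.example", 7, second_ctx, true) != 1;
}
```

With `check_sec` false the second mount lands on the first mount's superblock and is rejected, which corresponds to the failure quoted in the commit message; with it true the mount gets a superblock of its own.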